Introduction 

MaaS360 Mobile Enterprise Gateway provides simple, secure mobile access to behind-the-firewall information 
resources with no changes to your network or firewall security configuration. It provides mobile connectivity 
without requiring any inbound TCP/IP connections from services or devices outside your LAN. Our robust, secure 
communications technology, called MaaS360 Mobile Enterprise Gateway Link, is more efficient and more tolerant of 
sometimes-spotty wireless networks than traditional approaches. 

By eliminating the need to expose a mobile applications server to the public Internet, the MaaS360 Mobile 
Enterprise Gateway solution does not leave your network vulnerable to probes and attacks. Since it does not require 
the use of a VPN, you don’t have to worry about rogue apps on devices gaining access to your LAN, or the usability 
and management headaches associated with VPN use on mobile devices. 

Supporting a great experience for the mobile user, our technology provides the usability benefits of a native mobile 
application without the need to develop and deploy code across multiple mobile platforms. Instead, new features 
and functions can be added simply by making changes at the gateway. Unlike browser-based applications, where 
device caching and browser history can lead to dangerous security leaks, MaaS360 Mobile Enterprise Gateway 
technology ensures that confidential business data is never stored on devices in an unencrypted format, and that a 
user’s ability to transfer that information elsewhere can be limited by administrative policy. MaaS360 Mobile 
Enterprise Gateway technology ensures that corporate data can only be viewed on authorized mobile devices and 
that the communication between the enterprise gateway and the mobile devices is fully encrypted. MaaS360 Mobile 
Enterprise Gateway’s link services can only direct traffic between the devices and the gateway; they 
cannot read the encrypted traffic. 

With MaaS360, you don’t have to impose limits on what users can install, although you can easily block or enable 
individual devices. That’s important, as executives and employees expect to use their smartphones to access 
sensitive organizational data as well as their own personal applications. It’s also helpful if you need to expose 
selected applications and assets to partners, contractors, or other third parties for whom more general access to the 
organization’s network is undesirable. 

High Level Architecture 

Here’s an architecture diagram of MaaS360 Mobile Enterprise Gateway implementation: 



[Architecture diagram. Labels: Internal Systems; Active Directory; MaaS360 Mobile Enterprise Gateway (talks to internal systems on LAN); outbound-only access on port 443 (encrypted payloads); SSL exchanges with intermediation servers (encrypted payloads).] 


Client: 

o The MaaS360 Secure Browser app is installed on mobile devices. 

o The app will be available via iTunes or Google Play, and can be pushed using the MaaS360 App 
distribution workflows. 

o The MaaS360 Secure Browser connects to the relay services via HTTPS to post requests or pick up 
responses. 

o Even though the connections are HTTPS, the payloads themselves are also encrypted with AES 256-bit 
encryption, and remain encrypted even on the device. 

o The mobile device itself is never on the organization’s network, nor does the MaaS360 Secure Browser 
ever directly see the network. This preserves network security and isolation. 

Gateway: 

o Server software that runs on a machine or VM on your organization’s internal network. 

o The gateway establishes outbound connections to the Gateway Relay services in the cloud, processes any 
outstanding requests from mobile devices, and then posts the resulting payloads to the relay services. 

o This assures that no direct network connection happens from anywhere outside the firewall, preserving 
firewall integrity. 

Cloud Link Services: 

o Web services in the cloud that facilitate communications between the clients and your gateway. 

o The Link service will not be able to read the encrypted communication between the clients and the 
gateway. 

System Requirements 

MAAS360 MOBILE ENTERPRISE GATEWAY 

MaaS360 Mobile Enterprise Gateway provides the point of control for mobile access to business resources. Before 
beginning the installation, make sure the following requirements are met: 

Requirements checklist (Item / Meets Requirement): 

[ ] Physical or Virtual Machine with Windows Server 2008 R2, 2008, or 2003 as an installation target for the 
MaaS360 Mobile Enterprise Gateway. The MaaS360 Mobile Enterprise Gateway can run on 64-bit servers but 
still requires x86 support for some components. 

[ ] A service account that MaaS360 Mobile Enterprise Gateway can run as: 

• Member of Domain User group on your Active Directory 

• Member of Local Administrative group on the server 

[ ] .NET Framework 3.5 or higher is required 

[ ] Memory: 

• At least 2 GB of RAM is recommended. 

Disk drives: 

• MaaS360 Mobile Enterprise Gateway takes less than 15 MB of disk space. 

Processor: 

• Dual Core 

[ ] Access to the following URLs from the Mobile Enterprise Gateway machine: 

• Port 443 outbound used by the gateway to communicate with the MaaS360 Mobile Enterprise Relay Service over SSL. 

• There is no inbound port used for the relay. 

• Additional support for port 443 is available to enable Internet communication through a proxy server. 

o Hostname: *.gw.ml.maas360.com 

o The gateway Control Panel can be accessed via http://localhost:1456 on the gateway server 

o The gateway Control Panel can be accessed using the latest versions of IE, Chrome, Safari, and Firefox 
browsers 

Supported clients: 

o iOS 5.0 and higher 
o Android 3.1 or later (carrier versions) 

MaaS360 Mobile Enterprise Gateway Onboarding 

STEP 1: DOWNLOAD AND INSTALL THE GATEWAY 

1. Log in to MaaS360 and browse to the Services page (Setup >> Services on the new UI or Manage >> Configure 
Services on the old UI). 

2. Under the Secure Browser section, you should see that the MaaS360 Corporate Intranet feature has been enabled. 
Note: if this has not been enabled, please contact your Fiberlink representative. 



[Screenshot: Secure Browser section of the Services page, showing "Secure Browser is enabled" with the URL filtering service and Corporate Intranet options. Page text: Secure Browser for iOS and Android provides a full featured web browser for smartphone and tablet devices. IT administrators define URL filtering and security policies, ensuring that users only access approved web content. To Start: (1) Download Mobile Enterprise Gateway and install in your Data center; (2) Configure report schedule and recipients; (3) Configure Secure Browser Policy; (4) Deploy Secure Browser application from iTunes and/or Google Play; (5) Configure MDM Device Policy to restrict Native Browser (if available).] 


3. Download the MaaS360 Mobile Enterprise Gateway software from the download link from Step 1. 

4. Complete the installation process as shown below: 


[Screenshot: welcome page of the MaaS360 Mobile Enterprise Gateway Setup Wizard. The wizard recommends closing all other applications before starting Setup, so that relevant system files can be updated without a reboot. Click Next to continue.] 

STEP 2: CONFIGURE THE GATEWAY 


1. Once the installation completes, a web page is launched that lets you activate and configure the MaaS360 
Mobile Enterprise Gateway. Start with the Click here to manage the gateway link. 



2. This launches the MaaS360 Mobile Enterprise Gateway’s Control Panel. 

a. Enter your username, email address, company name and a password for Control Panel access. 

b. Click Continue. 

MaaS360 Mobile Enterprise Gateway contacts the MaaS360 Gateway Provisioning Server to activate your 
gateway, as shown above. 


3. Once the Enterprise Gateway is activated, you will receive an activation code at your registered email address 
from MaaS360@fiberlink.com. 

Note: Please whitelist this address so that your mail server will deliver this code. 


[Screenshot: email from MaaS360 with the subject "Your MaaS360 Mobile Enterprise Gateway Activation Code", containing the activation code you need to start using your gateway.] 


4. Enter the following information to activate the Mobile Enterprise Gateway: 

a. Enter the Activation Code from the email. 

b. Enter the Gateway Title. This is free-form text that gives a display name of your gateway. 

c. Select the Access to current intranet applications option and click Continue. 

This will complete the activation. 



5. Once the gateway is activated, the 6-digit MaaS360 Gateway instant access code will appear on your screen. 


Note: Please write down this code. It will be needed for policy configuration in the MaaS360 portal at a later 
step. 


[Screenshot: Control Panel page at localhost:1456/start, "Step 3: Gateway activated... get started!" It confirms that activation is complete and shows the gateway's instant access code (393-114 in this example), which users enter in the MaaS360 mobile app to connect to the gateway. The page notes that you can give this code to other users and check it again from the Network tab, and that you can publish information to remote users by choosing the Site tab and clicking "Add item to this menu...".] 

STEP 3: RUN THE GATEWAY AS A SERVICE ACCOUNT 


Configuring the gateway to run as a Service Account is required for two reasons: 

1. Authenticating users against your Active Directory server before intranet access 

2. Single Sign-On (SSO) for intranet sites that use NTLM authentication 

Steps to configure the service account are detailed below: 

1. Open the Services Console on the server (Start >> Run >> services.msc) 

2. Locate the service MaaS360 Mobile Enterprise Gateway 

3. Stop the service 


[Screenshot: Services console with the MaaS360 Mobile Enterprise Gateway service selected (Status: Started, Startup Type: Automatic) and the Stop the service / Restart the service links. Service description: "Provides a secure platform for mobile access to business information. If this service is stopped, mobile users will no longer have access to information and applications published through the gateway."] 


4. Right-click on the service and select Properties >> Select Log On tab. 

5. Enter a Service Account username and password and click Apply. The Service Account username must be a 
Domain user in Active Directory, and it must be part of the Local Admin group on the server where the 
installation is. 

6. On the General tab, select Start and make sure the service is running. 

[Screenshot: MaaS360 Mobile Enterprise Gateway Properties (Local Computer) dialog, General tab, showing Startup type: Automatic, Service status: Stopped, and the Start, Stop, Pause and Resume buttons.] 

STEP 4: CONFIGURE INTRANET SITES FOR GATEWAY ACCESS 


The MaaS360 Mobile Enterprise Gateway provides an Intranet Tunneling service that acts as an intermediary for 
requests from clients seeking resources from other intranet sites or services. 

The MaaS360 Secure Browser client connects to the MaaS360 Mobile Enterprise Gateway requesting a connection to 
another resource available from a different server. The MaaS360 Mobile Enterprise Gateway evaluates the request 
according to its policy rules. If the request is validated by the policy, the MaaS360 Mobile Enterprise Gateway 
connects to the relevant server and requests the resource for the client. 

Follow the steps below to configure intranet sites that can be accessed via MaaS360 Secure Browser: 

1. Log in to MaaS360 Mobile Enterprise Gateway’s Control Panel (http://localhost:1456) 

2. Enter your username and password (from the Gateway Activation page) to log in to the console. 




3. Select the Policies menu and go to Hosts to which the gateway may provide proxy access. 

[Screenshot: Policies tab of the gateway Control Panel: "Here you can define policies that enhance the security of the information that the gateway provides to mobile users." Settings shown: Generic browsers may access gateway (No, remind users that the MaaS360 mobile app is required); Mobile access requires PIN entry (only if enabled by user); Mobile access requires password entry every (24 hours); Users may email item content to others (Yes); Users may open item content with other device apps; Users may save images to device's photo library (Yes); Hosts to which the gateway may provide proxy access.] 

4. Add the hostnames of the sites that need to be allowed through MaaS360 Secure Browser to this field. 
Click on Save policy settings once the list is complete. 

This is the Proxy Access List. It accepts comma-separated values of hostnames that must be allowed. Wildcard 
characters like * and ? are also supported. Here are some examples: 

Use Case: Allow individual intranet sites 
Proxy Access List: site01.mydomain.com, site02.mydomain.com, site03.mydomain.com 

Use Case: Allow any site with a particular sub-domain 
Proxy Access List: *.mysubdomain.mydomain.com 

Use Case: Selective sites from certain domains 
Proxy Access List: *.mysubdomain01.mydomain.com, site02.mysubdomain02.mydomain.com 

Use Case: Allow any intranet site to be accessed (This will cause your email, OWA, SSL sites to be proxied through the gateway.) 
Proxy Access List: *.mydomain.com 


If you need to modify or delete hostnames from your Proxy Access List, the changes must be made to Hosts to 
which the gateway may provide proxy access field and saved. 

The next time the MaaS360 Secure Browser connects to the gateway (either when the user authenticates or the 
next time the user tries to connect to the intranet site), the updated Proxy Access List gets pushed to the 
connecting mobile devices. 
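
An added example, not part of the guide or the product: a small Python audit of a Proxy Access List value before it is saved, using the example entries from the table above. The matching rules are an assumption (the guide only states that * and ? are supported), and the function names and test hostnames are constructed for illustration.

```python
import re

# Example values taken from the guide's Proxy Access List table.
GUIDE_EXAMPLES = {
    "individual": "site01.mydomain.com, site02.mydomain.com, site03.mydomain.com",
    "sub-domain": "*.mysubdomain.mydomain.com",
    "selective": "*.mysubdomain01.mydomain.com, site02.mysubdomain02.mydomain.com",
    "any-site": "*.mydomain.com",
}


def parse_access_list(raw):
    """Split the comma-separated field value into lower-cased patterns."""
    return [p.strip().lower() for p in raw.split(",") if p.strip()]


def to_regex(pattern):
    """ASSUMPTION: '*' matches any run of characters (dots included) and
    '?' matches exactly one character; everything else is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))


def is_allowed(host, patterns):
    """True when the whole hostname matches at least one pattern."""
    host = host.strip().lower().rstrip(".")
    return any(to_regex(p).fullmatch(host) for p in patterns)


def audit(patterns):
    """Return {pattern: finding} for every entry that covers more than one host."""
    findings = {}
    for p in patterns:
        if "*" not in p and "?" not in p:
            continue  # exact hostname, the narrowest entry possible
        # Labels without wildcards, e.g. ["mydomain", "com"] for "*.mydomain.com".
        fixed = [lbl for lbl in p.split(".") if lbl and not set(lbl) & {"*", "?"}]
        if not fixed:
            findings[p] = "no fixed label: not tied to any domain"
        elif p.startswith("*") and not p.startswith("*."):
            findings[p] = "no dot after '*': other domains ending in this text match"
        elif p.startswith("*.") and len(fixed) <= 2:
            # Heuristic: two fixed labels usually means a whole domain. The guide
            # notes this proxies email, OWA and SSL sites through the gateway.
            findings[p] = "domain-wide: email, OWA and SSL sites are proxied too"
        else:
            findings[p] = "wildcard: confirm every matching host should be reachable"
    return findings


if __name__ == "__main__":
    for name, raw in GUIDE_EXAMPLES.items():
        patterns = parse_access_list(raw)
        print(name, patterns, audit(patterns))
    # Constructed hostnames, checked against the broadest example entry.
    for host in ("owa.mydomain.com", "a.b.mydomain.com", "mydomain.com.example.net"):
        print(host, is_allowed(host, parse_access_list(GUIDE_EXAMPLES["any-site"])))
```

Exact hostnames produce no findings; each wildcard entry is reported so the administrator can confirm that every host it covers is meant to be reachable from mobile devices.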


STEP 5: CONFIGURE ALLOWED NUMBER OF DEVICES PER USER 


MaaS360 Mobile Enterprise Gateway provides the administrator the ability to limit the number of devices that can 
be used by one user to access intranet sites using the MaaS360 Secure Browser. The default can be set to 1 device, x 
devices or any number of devices. This setting can be overridden for specific users as well. 

In order to configure this setting, select the Users tab and choose one of the following settings: 

New users' permission to use new devices: 

o May not use new devices until administrator approval 
o May use up to 03 new device(s) until this time tomorrow 
o May use any device 

[Screenshot: Users tab of the gateway Control Panel, with the options above, a Save device permission settings button, an Add a new user link and a user search box. Page text: Create user accounts for your mobile employees and trusted partners so they can securely access selected company information from the MaaS360 mobile app. You'll need to provide their name, email address, and password. Please be sure that each user has the MaaS360 mobile app installed on their mobile device. Account discovery: In addition to creating user accounts here, you can automatically grant access to mobile users who present a valid Windows username and password. A gateway account will automatically be created for that person. If you enable this feature, please ensure that you have enough seat licenses for everyone. Checkbox: Automatically create accounts for users with valid Windows credentials.] 


STEP 6: CONFIGURE MAAS360 SECURE BROWSER POLICIES 


You will need to configure the MaaS360 Secure Browser policies to integrate with the installed MaaS360 Mobile 
Enterprise Gateway to enable access to published intranet sites via the MaaS360 Secure Browser. 

1. Log on to MaaS360 portal: https://portal.fiberlink.com 

2. Browse to Manage >> Manage Device Policies or Security >> Policies 

3. Select a Secure Browser policy 

4. Click Edit 

5. Select Enterprise Gateway Settings 

[Screenshot: Default Secure Browser Policy, Enterprise Gateway Settings ("Configure Mobile Enterprise Gateway for Intranet access. Relevant only with Mobile Enterprise Gateway service."). Fields shown: 

o Mobile Enterprise Gateway Access Code: Specify the Access Code generated during installation of the Enterprise Gateway. 

o Domain: Leave this blank to use user’s corporate domain. 

o Username: Leave this blank to use user’s corporate username. 

o Cache credentials in the App: If checked, specified credentials will be locally cached and user will not be prompted again till authentication fails.] 


6. Enter the Gateway access code (6-digit number) you obtained during gateway activation. Do not include the 
hyphen, just the digits 

7. The username and domain fields are pre-populated for each user to authenticate against the gateway. This 
information is available from the enrollment request 

8. There is an option to cache credentials locally in the app. If it’s selected, the user is not prompted again for 
authentication each time the device accesses an intranet site. We recommend that it be selected for a better 
end user experience 

9. Save and publish the policy 


STEP 7: DOWNLOAD THE SECURE BROWSER AND AUTHENTICATE AGAINST THE GATEWAY 

1. Download and install the MaaS360 Secure Browser on the device, either from iTunes, Google Play or the App 
Catalog 

Note: It is recommended that you distribute the iOS and Android Secure Browser to enrolled devices via 
MaaS360 so the user can install the apps from the MaaS360 App Catalog. 

2. Ensure that the version of the App is 1.10 or higher (e.g., Settings >> Browser >> Version on iOS devices and 
Settings >> Apps >> Browser >> Version on Android devices) 

3. Open the browser app and you will be prompted to authenticate 

4. The username and domain should be auto-populated based on the AD credentials you used during the 
enrollment process. Enter your password to initiate authentication 

5. Once authenticated, the browser will load as usual. Now accessing an internal site will load the page on the 
MaaS360 Secure Browser 

Support & Troubleshooting 

FREQUENTLY ASKED QUESTIONS (FAQS) 


All my users are unable to access one intranet site through the Secure Browser. How can I fix this? 

1. Log on to the server on which the gateway is installed, open a browser and try accessing the intranet site. 

2. Try connecting the device to the corporate network (either Wi-Fi or VPN) and see if the site is accessible. 

3. If both (1) and (2) are not working, the intranet site might have gone down. 

4. Open the browser on the gateway, use developer tools and capture logs while loading the site in question. 

5. Gather gateway logs (using the procedure highlighted below) and send them to MaaS360 for analysis. 

None of my users are able to access ANY intranet sites through the Secure Browser. What should I do? 

1. Log on to the server on which the gateway is installed, open the Services console and ensure that the MaaS360 
Mobile Enterprise Gateway service is running. If not, start the service. 

2. With a test device, start the Secure Browser app, authenticate (if required) and confirm that you are able to 
access the intranet sites. 

3. If it’s still not working, open the browser on the gateway and try accessing intranet sites that are published. 
Check to see if there have been any recent firewall/proxy changes in your internal network that might be 
blocking this access. 

4. Gather gateway logs (using the procedure below) and send them to MaaS360 for analysis. 

How can I collect gateway logs? 

1. Replicate the issue in question using the Secure Browser and note down the timestamp. 

2. Log on to the server on which the gateway is installed. 

3. Browse to C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway folder. 

4. Copy gateway*.log, portal-access*.log and proxy-access*.log to a folder. 

5. Zip the contents of the folder and send it to MaaS360 support (ops@fiberlink.com) along with the timestamp 
when the issue was replicated. Please provide your account number with the logs. 

How can I collect Secure Browser logs? 

1. Replicate the issue in question using the Secure Browser and note the timestamp. 

2. In iOS, go to Settings >> Browser and set Email Logs to ON. Open the browser. This will launch your default 
email client with a new email and logs as attachments. 

3. In Android, open MaaS360 App, then Settings >> Email Logs. On the Secure Browser Settings menu, there is an 
option to enable verbose logging as well, in case of assisted troubleshooting. 

What should I do to get the latest proxy access list on my Secure Browser? 

1. Minimize the app and bring it to the foreground, or log out of the browser and re-authenticate. This will cause the 
latest proxy list to be downloaded. 

2. To log out of the iOS Secure Browser, go to Settings >> Browser >> Intranet Access Signout = ON. 

3. To log out of the Android Secure Browser, access Settings menu from the Browser and go to Enterprise Gateway 
Settings to key in new credentials. 

How can I check the version of the Secure Browser installed on my device? 

1. In iOS, go to Settings >> Browser; the version field indicates the version of the browser. 

2. In Android, go to Settings >> Application Manager >> Browser to access the version. 